Speaker Andrew Bartlett
Time 2010-01-19 13:30
Conference LCA2010

Making Samba V4 safer to install. As extra domain controller or as a cluster of domain controllers.

Sambe4 was only usable for Greenfield sites, sites with only one domain controller, sites prepared to cut and run.

Currently no way to go back again to previous system if migrating to Samba 4. No way to replicate changes back.

As of Samba4 alpha 11 no possible to replicate changes bidirectional. Not fool proof, Samba could replicate currupt data. We are working on this.

LDAP replication not good enough. LDAP doesn’t have transaction report. Our current backends don’t either, but we need both transactions and replication. LDAP doesn’t replicate with Windows.

Native replication with Windows.

This is different to ctdb, which was designed to cluster something that wasn’t designed to be clustered. ctdb is complicated, we won’t be clustering Samba4 in that way as the protocol has support for clustering.

Samba must be the LDAP listener, we can’t have another LDAP server listening on this port to implement the protocol support correctly, however we can use another LDAP server as the backend.

Kerberos - Heimdal + plugins.

DNS - need to have DNS integrate with LDAP, because Microsoft distribute DNS changes via DRS. There are plugins to do this.

We have a good working relationship on Microsoft, engineers cooporate because they enjoy doing so. There is a legal requirement that Microsoft assist, however this is not the motivating factor of the egineers who help because the enjoy meeting with the Samba team and hacking code.

read-only domain controller. Put in insecure branch office, so branch server can’t infect corporate network and attacker can’t break into corporate network.

Take backup of domain. Can’t say it is perfectly safe, as it is new code. It shouldn’t be too dangerous.